Efficient Hyperelliptic Curve Arithmetic Using Tau-adic Expansions

INTRODUCTION Security of public key cryptographic protocols is based on the apparent difficulty of a mathematical problem. Perhaps the most famous of these problems is that of factoring a composite number into primes, on which the security of the system known as RSA [1] relies. The standard cryptographic protocols like Diffie-Hellman [2] key exchange, ElGamal [3] encryption, and digital signature are based on the difficulty of solving the discrete logarithm problem of a finite group. In a cyclic group G generated by element g, it is believed that if g x = y, where x is an integer, then given y and g, it is not easy to compute x. For cryptographic purposes the group G should be equipped with fast arithmetic so that the encryption and decryption are practical and yet the discrete logarithm problem should be hard so that the cryptanalysis is difficult. Thus, G must be a commutative finite algebraic group. This limits us to the product of a finite number of copies of the additive and multiplicative groups of finite fields and a finite number of copies of Jacobians of curves. Also the group should be chosen in a manner that it survives the known attacks. For example the group must have a subgroup of large prime order; otherwise, it will be susceptible to the Polig-Hellman attack [4]. Historically the multiplicative groups of finite fields were used for cryptographic purposes , but in the mid-1980s Miller [5] and Koblitz [6] proposed replacing the group F * q by the group of rational points of an elliptic curve E(F q). In 1989 Koblitz [7] extended the 1 idea to the Picard group of a hyperelliptic curve. The group Pic 0 (C/F q) provides a larger class of curves to chose from over smaller field sizes in comparison to elliptic curves. For F * q there exist a subexponential attack called the index calculus [8]. This attack is much faster than the generic square root attacks. Unlike the multiplicative group of a finite field, there is no subexponential attack known for the group of points on the elliptic curve over a finite field. This is also true for hyperelliptic curves with small genus as well. For larger genus g ≥ 4, there exists the subexponential attack by Adleman et al. [9]. There is a problem using the elliptic or hyperelliptic curves: the added complexity of performing arithmetic. Koblitz …